Should Enterprise Risk Management (ERM), Internal Control, Compliance, and Internal Audit Be Separate or Combined?

Should Enterprise Risk Management (ERM), Internal Control, Compliance, and Internal Audit Be Separate or Combined?

One of the most frequently asked questions in the GRC space, and one that Boards and Committees frequently ask as well is “Whether Enterprise Risk Management (ERM), Internal Control, Compliance, and Internal Audit should exist as separate functions within an organization or be combined into a single assurance function?”. This question is most commonly raised in organizations and industries where regulators have not prescribed a specific governance or reporting structure for ERM, Compliance, Internal Control and Internal Audit functions

My answer to the question is: it depends.

Why?

Every organization, regardless of industry, operates across four key operational levels:

  • Governance Operations
  • Core Operations
  • Support Operations
  • Assurance Operations

The visibility, structure, and maturity of these operational levels depend largely on the organization’s size, complexity, business model, and risk profile.

Within the Assurance Operations layer are four distinct but complementary functions:

  • Enterprise Risk Management (ERM)
  • Internal Control
  • Regulatory Compliance
  • Internal Audit

In addition to these internal assurance functions, organizations are also subject to statutory and industry assurance requirements, including external financial statement audits, technical audits, operational and process audits, regulatory inspections, and product or quality certification audits. These are typically performed by qualified and independent external parties in fulfilment of legal, regulatory, and contractual obligations.

Collectively, the objective of these internal assurance functions is to strengthen organizational performance by promoting effective governance, proactive risk management, robust internal controls, regulatory compliance, and the achievement of strategic objectives.

Although these functions work closely together and complement one another, each has a distinct purpose, scope, and responsibility.

Enterprise Risk Management (ERM)

ERM establishes the organization’s enterprise risk management framework by developing policies, methodologies, and guidelines for identifying, assessing, evaluating, treating, monitoring, and reporting enterprise-wide risks.

It also coordinates the implementation of the ERM framework through awareness programmes, training, advisory support, continuous monitoring, and periodic reporting to ensure that risk management is effectively embedded into day-to-day decision-making and operations.

Internal Control

The Internal Control function develops the organization’s internal control framework by establishing policies, standards, and control guidelines designed to mitigate operational, financial, technology, strategic, and compliance risks.

It supports management in implementing effective controls, provides awareness and training, monitors control performance, promotes continuous improvement, and helps embed sound control practices across the organization.

Regulatory Compliance

The Compliance function establishes the regulatory compliance framework by developing policies, procedures, and guidelines that enable the organization to comply with applicable laws, regulations, industry standards, contractual obligations, and internal policies.

The function also coordinates implementation through awareness programmes, training, compliance monitoring, regulatory reporting, liaison with regulators, compliance advisory services, and continuous monitoring to ensure compliance requirements are embedded into business operations.

Internal Audit

Internal Audit provides independent and objective assurance and advisory services on the effectiveness of governance, risk management, internal controls, and compliance processes.

The function establishes the methodology, policies, procedures, and quality standards for executing internal audit activities while conducting independent risk-based reviews and providing recommendations that enhance governance, improve operational effectiveness, strengthen internal controls, and support organizational performance.

Unlike the other three functions, Internal Audit does not own or manage risks, controls, or compliance activities. Instead, it independently evaluates whether these frameworks are appropriately designed and operating effectively.

Because Internal Audit provides independent assurance, it must objectively assess the effectiveness of the ERM, Internal Control, and Compliance functions. Consequently, Internal Audit should maintain sufficient organizational independence from the functions it evaluates.

How should these functions be structured?

There is no one-size-fits-all answer. The most appropriate structure depends on the organization’s size, complexity, business model, regulatory environment, risk profile and governance maturity.

My Views:

– The focus should be to empower each to deliver its intended value while collectively strengthening decision-making & achievement of strategic objectives

– Internal Audit should remain a separate function in line with the IIA to maintain its independence and objectivity, since it provides independent assurance over the effectiveness of ERM, Internal Control, and Compliance processes. It maintains functional reporting to board audit committee.

– ERM, Internal Control and Compliance may be separate or combined. Whether they are separated or combined, their respective roles should be clearly defined, documented, communicated and understood to preserve effectiveness, objectivity & avoid conflicts of interest. The reporting line should be to an appropriately empowered executive such as a CRO or Company Secretary to provide sufficient authority to challenge management decisions & influence risk-informed decisions. In highly regulated sectors, such as banks, regulators typically expect ERM, Compliance & Internal Control to maintain formal reporting relationship with designated Board committees.

– In organizations with both Group and subsidiary structures, the internal assurance framework should mirror the overall governance structure. Ideally, the Group-level assurance structure should include clearly defined responsibilities for:

  • Enterprise Risk Management
  • Internal Control
  • Regulatory Compliance
  • Internal Audit

Comments

No comments yet. Why don’t you start the discussion?

Leave a Reply

Your email address will not be published. Required fields are marked *